Network resource control system

ABSTRACT

A network resource control system allows network terminals to communicate with network resources, and includes a resource registry, an authorization server and an administration server. The resource registry includes resource records which are associated with the network resources and define at least a user access level for each network resource. The authorization server is in communication with the resource registry and controls network access to the network resources in accordance with the resource records. The administration server is in communication with the resource registry and provides controlled access to the resource records. The administration server receives user access control data from administrators of the network resources for incorporation into the resource records. Depending upon the user access control data received, the authorization server configures the network terminals for communication with the network resources.

FIELD OF THE INVENTION

The present invention relates to a method and system for networkmanagement system. In particular, the present invention relates to amethod and system for controlling access to network resources.

BACKGROUND OF THE INVENTION

Local area networks are widely used as a mechanism for making availablecomputer resources, such as file servers, scanners, and printers, to amultitude of computer users. It is often desirable with such networks torestrict user access to the computer resources in order to manage datatraffic over the network and to prevent unauthorized use of theresources. Typically, resource access is restricted by defining accesscontrol lists for each network resource. However, as the control listscan only be defined by the network administrator, it is often difficultto manage data traffic at the resource level.

Wide area networks, such as the Internet, have evolved as a mechanismfor providing distributed computer resources without regard to physicalgeography. Recently, the Internet Print Protocol (“IPP”) has emerged asa mechanism to control access to printing resources over the Internet.However, IPP is replete with deficiencies.

First, as IPP-compliant printing devices are relatively rare, Internetprinting is not readily available.

Second, although IPP allows user identification information to betransmitted to a target resource, access to IPP-compliant resources canonly be changed on a per-resource basis. This limitation can beparticularly troublesome if the administrator is required to changepermissions for a large number of resources.

Third, users must have the correct resource driver and know the IPPaddress of the target resource before communicating with the resource.Therefore, if the device type or the IPP address of the target resourcechanges, users must update the resource driver and/or the IPP address ofthe resource. Also, if a user wishes to communicate with a number ofdifferent resources, the user must install and update the resourcedriver and IPP address for each resource as the properties of eachresource changes.

Fourth, access to IPP printers cannot be obtained without the resourceadministrator locating the resource outside the enterprise firewall, orwithout opening an access port through the enterprise firewall. Whereasthe latter solution provides the resource administrator with the limitedability to restrict resource access, the necessity of opening an accessport in the enterprise firewall exposes the enterprise network to thepossibility of security breaches.

Consequently, there remains a need for a network resource controlsolution which allows resource owners to easily and quickly controlresource access, which is not hindered by changes in device type andresource network address, which facilitates simultaneous communicationwith a number of target resources, and which does not expose theenterprise network to a significant possibility of security breaches.

SUMMARY OF THE INVENTION

According to the invention, there is provided a network resource controlsystem and a method of network resource control which addresses at leastone deficiency of the prior art network resource control systems.

The network resource control system, according to the present invention,allows network users to communicate with network resources, andcomprises a resource registry, an authorization server and anadministration server. The resource registry includes resource recordswhich are associated with the network resources and define at least auser access level for each network resource. The authorization server isin communication with the resource registry and controls network accessto the network resources in accordance with the resource records. Theadministration server is in communication with the resource registry andprovides controlled access to the resource records.

The network resource control method, according to the present invention,facilitates communication between network users and network resources,and comprises the steps of (1) providing a resource registry includingresource records associated with the network resources, the resourcerecords including user access control data; (2) receiving user accesscontrol data from administrators of the network resources forincorporation into the resource records; and (3) in accordance with theuser access control data, configuring the network terminals forcommunication with the network resources.

BRIEF DESCRIPTION OF THE DRAWINGS

The preferred embodiment of the invention will now be described, by wayof example only, with reference to the drawings, in which:

FIG. 1 is a schematic view of the network resource control system,according to the present invention, showing the network terminals, thenetwork resources, the resource registry, the authorization server, theadministration server, the proxy server, and the polling server;

FIG. 2 is a schematic view one of the network terminals depicted in FIG.1, showing the driver application for use with the present invention;

FIG. 3 is a schematic view of the format of the resource recordscomprising the resource database of the resource registry depicted inFIG. 1, showing the network address field, the resource type field, theuser access level field, the resource information field, the pseudo-namefield, the username/password field, and the driver identification field;and

FIG. 4 is a flow chart depicting the method of operation of the networkresource control system.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Turning to FIG. 1, a network resource control system, denoted generallyas 100, is shown comprising a network terminal 200, a network resource104, a resource registry 106, an administration server 108, and anauthorization server 110. Typically, the network resource control system100 comprises a plurality of network terminal 200, and a plurality ofnetwork resources 104, however for enhanced clarity of discussion, FIG.1 only shows a single network terminal 200 and a single network resource104.

The network resource control system 100 also includes a communicationsnetwork 112 facilitating communication between the network terminals200, the network resources 104, the administration server 108, and theauthorization server 110. Preferably, the communications network 112comprises a wide area network such as the Internet, however the network112 may also-comprise a local area network. Further, the network 112need not be a land-based network, but instead may comprise a wirelessnetwork and/or a hybrid of a land-based network and a wireless networkfor enhanced communications flexibility.

Each network terminal 200 typically comprises a land-basednetwork-enabled personal computer. However, the invention is not limitedfor use with personal computers. For instance, one or more of thenetwork terminals 200 may comprise a wireless communications device,such as a wireless-enabled personal data assistant, or e-mail-enabledwireless telephone if the network 112 is configured to facilitatewireless data communication. In addition, the invention is not limitedto only facilitating transmission of text data, but instead may be usedto transmit image data, audio data or multimedia data, if desired.

As shown in FIG. 2, the network terminal 200 comprises a networkinterface 202, a user interface 204, and a data processing system 206 incommunication with the network interface 202 and the user interface 204.Typically, the network interface 202 comprises an Ethernet networkcircuit card, however the network interface 202 may also comprise an RFantenna for wireless communication over the communications network 112.Preferably, the user interface 204 comprises a data entry device 208(such as keyboard, microphone or writing tablet), and a display device210 (such as a CRT or LCD display).

The data processing system 206 includes a central processing unit (CPU)208, and a non-volatile memory storage device (DISC) 210 (such as amagnetic disc memory or electronic memory) and a read/write memory (RAM)212 both in communication with the CPU 208. The DISC 210 includes datawhich, when loaded into the RAM 212, comprise processor instructions forthe CPU 208 which define memory objects for allowing the networkterminal 200 to communicate with the network resources 104 and theauthorization server 110 over the communications network 112. Thenetwork terminal 200, and the processor instructions for the CPU 208will be discussed in greater detail below.

Typically, each network resource 104 comprises a printing device, and inparticular, an IPP-compliant printer. However, the invention is notlimited for use with networked printers (IPP-compliant or otherwise),but instead can be used to provide access to any of a variety of datacommunication devices, including facsimile machines, image servers andfile servers. Further, the invention is not limited for use withland-based data communications devices, but instead can be used toprovide access to wireless communications devices. For instance, thenetwork resource control system 100 can be configured to facilitate datacommunication with e-mail pagers or e-mail enabled wireless telephones.

It is expected that some of the network resources 104 may be locatedbehind an enterprise firewall. Accordingly, to facilitate communicationbetween network terminals 200 and firewall-protected network resources104, the network resource control system 100 may also include a proxyserver 114 located logically outside the enterprise firewall, and apolling server 116 located logically within the firewall, as shown inFIG. 1. Preferably, the proxy server 114 is located on-site at theenterprise responsible for administering the network resource 104, isprovided with a network address corresponding to the enterprise, andincludes a queue for receiving application data. However, the proxyserver 114 may also be located off-site, and may be integrated with theauthorization server 110 if desired. This latter option is advantageoussince it allows system administrators to provide access to networkresources 104, but without having to incur the expense of the domainname registration and server infrastructure.

In addition to the proxy server 114 and the polling server 116,preferably the enterprise includes an enterprise server 118 (eg. a printserver) to facilitate communication with the network resources 104located behind the firewall. The polling server 116 is in communicationwith the enterprise server 118, and is configured to periodically pollthe proxy server 114 through the firewall to determine whetherapplication data from a network terminal 200 is waiting in the queue ofthe proxy server 114. The proxy server 114 is configured to transmit anyqueued application data to the polling server 116 in response to thepoll signal from the polling server 116. Upon receipt of the queuedapplication data from the proxy server 114, the polling server 116transmits the application to the enterprise server 118 for distributionto the appropriate network resource 104. As will be apparent, thismechanism allows application data to be transmitted to network resources104 located behind a firewall, but without exposing the enterprise tothe significant possibility of security breaches associated withfirewall access ports.

The resource registry 106 comprises a resource database 120, a driverdatabase 122, and a user registration database 124. The resourcedatabase 120 includes resource records 300 identifying parametersassociated with the network resources 104. As shown in FIG. 3, eachresource record 300 comprises a network address field 302, a resourcetype field 304, and a user access level field 306 for the associatednetwork resource 104. The network address field 302 identifies thenetwork address of the network resource 104. As discussed above,typically each network resource 104 comprises an IPP-compliant printer,in which case the network address field 302 identifies comprises thenetwork resource IPP address. However, in the case where the networkresource 104 comprises a non-IPP-compliant device and the communicationsnetwork 112 comprises the Internet, preferably the network resource 104is linked to the communications network 112 via a suitable server, andthe network address field 302 for the network resource 104 identifiesthe Internet Protocol (“IP”) address of the server.

The resource type field 304 identifies the type of data communicationdevice of the network resource 104. For instance, the resource typefield 304 may specify that the network resource 104 is a printer, animage server, a file server, an e-mail pager, or an e-mail enabledwireless telephone. Further, the resource type field 304 may include aresource type sub-field specifying a sub-class of the network resourcetype. For example, the resource type sub-field may specify that thenetwork resource 104 is an IPP-capable printer, or a non-IPP-capableprinter.

The user access level field 306 identifies the type of communicationsaccess which the network terminals 200 are allowed to have in regards tothe associated network resource 104. In the embodiment, as presentlyenvisaged, the user access level field 306 establishes that the networkresource 104 allows one of:

-   -   (a) “public access” in which any network terminal 200 of the        network resource control system 100 can communicate with the        network resource 104;    -   (b) “private access” in which only members (eg. employees) of        the enterprise associated with the network resource 104 can        communicate with the network resource 104; and    -   (c) “authorized access” in which only particular network        terminals 200 can communicate with the network resource 104.

If the user access level field 306 specifies “authorized access” for anetwork resource 104, preferably the user access level field 306includes a sub-field which lists the names of the network terminals 200authorized to access the network resource 104, and a sub-field whichincludes an authorization password which the identified networkterminals 200 must provide in order to access the network resource 104.If the user access level field 306 specifies “private access” for anetwork resource 104, preferably the user access level field 306includes a sub-field which lists the network address of the networkterminals 200 which are deemed to members of the enterprise.

It should be understood, however, that the user access level field 306is not limited to identifying only the foregoing predefined user accesslevels, but may instead identify more than one of the predefined useraccess levels, or other user access levels altogether. For instance, theuser access level field 306 may identify that the associated networkresource 104 allows both private access to all employees of theenterprise running the network resource 104, and authorized access toother pre-identified network terminals 200. Further, the user accesslevel field 306 may also include one or more sub-fields (not shown)which provide additional restrictions/permissions on the type ofcommunications access which the network terminals 200 are allowed tohave in regards to the associated network resource 104. For instance,the user access level sub-fields may limit the hours of operation of thenetwork resource 104, or may place restrictions on the type of accesslimitations on a per-user basis, or per-group basis. Other variations onthe type of access will be readily apparent, and are intended to beencompassed by the scope of the present invention.

Preferably, each resource record 300 includes an information field 308which provides information on the network resource 104, such as datahandling capabilities, resource pricing and geographical co-ordinates.This latter parameter is particularly advantageous for use with mobilenetwork terminals 200, such as a wireless-enabled personal dataassistant or an e-mail-enabled wireless telephone, since it allows thenetwork terminal 200 to identify the nearest one of a plurality ofavailable network resources 104. This aspect of the invention will beexplained in greater detail below.

Each resource record 300 also includes a pseudo-name field 310, ausername/password field 312 and a network driver identifier field 314.The pseudo-name field 310 contains a resource pseudo-name whichidentifies the network resource 104 to the network terminals 200.Preferably, the pseudo-name is a network alias that identifies thephysical location and properties of the network resource 104, but doesnot identify the network address of the resource 104. Further,preferably each pseudo-name uniquely identifies one of the networkresources 104, however a group of the network resources 104 may bedefined with a common pseudo-name to allow communication with a group ofnetwork resources 104. This latter feature is particularly advantageoussince it allows the administrator of an enterprise associated with thegroup of network resources to dynamically allocate each network resource104 of the group as the demands for the network resources 104 ormaintenance schedules require.

In addition, preferably the resource record 300 includes a plurality ofthe pseudo-name fields 310 to allow the administrator of the associatednetwork resource 104 to update the name assigned to the network resource104, while also retaining one or more previous pseudo-names assigned tothe network resource 104. As will be explained, this feature isadvantageous since it allows the administrator to update a resource namewithout the risk that network terminals 200 using a prior pseudo-namewill be unable to locate or communicate with the network resource 104.

The username/password field 312 contains a unique username and passwordcombination which allows the administrator of the associated networkresource 104 to prevent authorized access and alteration to the datacontained in the resource record 300. Preferably, each resource record300 also includes an e-mail address field (not shown) which the networkresource control system 100 uses to provide the administrator of theassociated network resource 104 with a notification e-mail message whena message is successfully transmitted to the network resource 104.

The driver identifier field 314 contains a resource driver identifierwhich is used in conjunction with the driver database 122 to provide thenetwork terminals 200 with the appropriate resource driver forcommunication with the network resource 104. The driver database 122includes resource drivers which allow software applications installed onthe network terminals 200 to communicate with the network resources 104.As will be explained below, in order for a network terminal 200 tocommunicate with a selected network resource 104, the network terminal200 first downloads a driver application data from the administrationserver 108 over the communications network 112. The network terminal 200may also download the appropriate resource driver from the driverdatabase 122 (via the authorization server 110 over the communicationsnetwork 112), and then allow the authorization server 110 to configurethe downloaded resource driver in accordance with the access level field306 of the resource record 300 associated with the selected networkresource 104. Preferably, each resource driver includes a resourcedriver identifier which allows the authorization server 110 to identifythe resource driver which the network terminal 200 has downloaded.

The driver application will now be discussed in association with FIG. 2.As discussed above, the DISC 210 of the network terminal 200 includesdata which, when loaded into the RAM 212 of the network terminal 200,comprise processor instructions for the CPU 208. As shown, thedownloaded driver application data defines in the RAM 212 a memoryobject comprising a driver application 400. The driver application 400includes a generic resource driver 402 and a wrap-around resource driverlayer 404. The generic resource driver 402 allows the network terminal200 to communicate with a variety of different network resources 104,however the generic resource driver 402 typically will not provide thenetwork terminal 200 with access to all the features and capabilities ofany particular network resource 104. If the network terminal 200requires additional features not implemented with the generic resourcedriver 402, the appropriate resource driver may be downloaded from thedriver database 116, as mentioned above.

The wrap-around driver layer 404 includes an application communicationlayer 406, a driver administrator layer 408, and a data transmitterlayer 410. The application communication layer 406 is in communicationwith the resource driver 402 (generic or network resource specific) andthe application software installed on the network terminal 200, and isconfigured to transmit user application data between the applicationsoftware and the resource driver 402. The driver administrator layer 408communicates with the resource registry 106 over the communicationsnetwork 112 to ensure that the driver application 400 is properlyconfigured for communication with the selected network resource 104. Thedata transmitter layer 410 is in communication with the resource driver402 and is configured to transmit the data output from the resourcedriver 402 over the communications network 112 to the selected networkresource 104, via the network interface 202. Although the driverapplication 400 and its constituent component layers are preferablyimplemented as memory objects or a memory module in the RAM 212, it willbe apparent that the driver application 400 may instead be implementedin electronic hardware, if desired.

Returning to FIG. 1, the registration database 124 of the resourceregistry 106 includes user records each uniquely associated with a userof a respective network terminal 200 upon registration with the networkresource control system 100. Each user record identifies the name theregistered user's name, post office address and e-mail address. Inaddition, each user record specifies a unique password which theregistered user must specify in order to update the user's user record,and to obtain access to network resources 104 configured for “authorizedaccess”. The user record may also include additional informationspecifying default options for the network resource control system 100.For instance, the user may specify that the network resource controlsystem 100 should provide the user with an acknowledgement e-mailmessage when a message is successfully transmitted to a selected networkresource 104. The user may also specify an archive period for which thenetwork resource control system 100 should archive the messagetransmitted to the selected network resource 104. This latter option isadvantageous since it allows the user to easily transmit the samemessage to multiple network resources 104 at different times, and toperiodically review transmission dates and times for each archivemessage.

The administration server 108 is in communication with the resourcedatabase 120 and the registration database 124. The administrationserver 108 provides administrators of the network resources 104 withaccess to the records of the resource database 120 to allow theadministrators to update the network address field 302, the resourcetype field 304, the user access level field 306, the resourceinformation field 308, the pseudo-name field 310, the username/passwordfield 312 and/or the driver identifier field 314 of the resource record300 for the associated network resource 104. As will become apparent,this mechanism allows network administrators to change, for example, thenetwork address and/or the restrictions/permissions of the networkresources 104 under their control, or even the network resource 104itself, without having to notify each network terminal 200 of thechange. The administration server 108 also provides controlled access tothe registration database 124 so that only the user of the networkterminal 200 which established the user record can update the userrecord.

Where the username/password field 312 has been completed, theadministration server 108 is configured to block access to the resourcerecord 300 until the administrator provides the administration server108 with the correct username/password key. This feature allows theresource administrator to make adjustments, for example, to pricing andpage limit, in response to demand for the network resources 104, and tomake adjustments to the restrictions/permissions set out in the useraccess level field 306 and the resource information field 308 andthereby thwart unauthorized access to the network resources 104.

The authorization server 110 is in communication with the resourcedatabase 120 and the driver database 122 for providing the networkterminals 200 with the resource drivers 402 appropriate for the selectednetwork resources 104. Preferably, the authorization server 110 is alsoconfigured to configure the driver application 400 for communicationwith the selected network resource 104, by transmitting the networkaddress of the selected network resource 110 to the data transmitterlayer 410 over a communications channel secure from the user of thenetwork terminal 200 so that the network address of the network resource104 is concealed from the user of the network terminal 200. In the casewhere the communications network 112 comprises the Internet, preferablythe secure communications channel is established using the SecureSockets Layer (“SSL”) protocol.

In addition to the network terminal 200, the network resource 104, theresource registry 106, the administration server 108, the authorizationserver 110, and the communications network 112, preferably the networkresource control system 100 also includes a transaction server 126 andan archive server 128. The transaction server 126 is in communicationwith the authorization server 10 for keeping track of each data transferbetween a network terminal 200 and a network resource 104. For eachtransmission, preferably the transaction server 126 maintains atransmission record identifying the network terminal 200 whichoriginated the transmission, the network resource 104 which received thetransmission, and the date, time and byte size of the transmission.

The archive server 128 is configured to retain copies of the datatransmitted, for a specified period. As discussed above, the user of anetwork terminal 200 specifies the requisite archive period (if any) forthe data transmission, upon registration with the network resourcecontrol system 100. Preferably, the administration server 108 providescontrolled access to the transaction server 126 and the archive server128 so that only the user of the network terminal 200 which originatedtransmission of the data is allowed access to the transmission recordassociated with the transmission.

The process by which a user of a network terminal 200 can communicatewith a network resource 104 will now described with reference to FIG. 4.The following discussion presupposes that the user of the networkterminal 200 has downloaded the driver application 400 from theadministration server 108 over the communications network 112. At step500, the user of a network terminal 200 decides whether to log in to thenetwork resource control system 100. As discussed above, if the userregisters with the network resource control system 100 and subsequentlylogs in to the network resource control system 100 (by providing theauthorization server 106 with the user's assigned password), the userwill have access to any network resources 104 which have “authorizedaccess” as the user access level and which have identified theregistered user as a user authorized to access the network resource 104.If the user does not register or fails to log in to the network resourcecontrol system 100, the user will only have access to network resources104 which have established “public access” as the user access level.

At step 502, the user selects a network resource 104 by querying theadministration server 108 for a list of available network resources 104.Alternately, the user may postpone selection of a network resource 104until initiation of the transmission command. The network user query maybe based upon any desired criteria, including print turn-around time andpage size (where the target network resource 104 is a printer), price,and geography. In addition, the user may provide the administrationserver 108 with the geographical coordinates of the user to determinethe user's nearest network resources. The user may provide itsgeographical coordinates through any suitable mechanism known to thoseskilled in the art, including, latitude/longitude co-ordinates, GPS, andwireless triangulation.

If the user requested a list of available network resources 104, theuser is provided with a list of pseudo-names associated with eachnetwork resource 104 satisfying the designated search criteria. Asdiscussed above, if the user logged in to the network resource controlsystem 100, the pseudo-name list will include both “public access”network resources 104 and “authorized access” network resources 104 withwhich the user has been authorized to communicate. Also, if the user ismember of an enterprise having network resources 104 registered with thenetwork resource control system 100, the pseudo-name list will alsoidentify network resources 104 which have been registered by theenterprise for “private access”. Otherwise, the pseudo-name list willonly identify network resources 104 registered for public access. Uponreceipt of the resource list, the user selects a network resource 104from the list.

At step 504, the administration server 108 queries the network user'snetwork terminal 200 for the resource driver identifier of the resourcedriver 402 configured on the network terminal 200, and then compares theretrieved resource driver identifier against the resource driveridentifier specified in the network driver identifier field 314 of theresource record 300 associated with the selected network resource 104 todetermine whether the driver application 400 has been configured withthe appropriate resource driver 402 for communication with the networkresource 104. If the network terminal 200 has not been configured withthe appropriate resource driver 402, the administration server 108prompts the user's network terminal 200 to download the necessaryresource driver 402. As will be apparent, the downloaded resource driver402 becomes part of the driver application 400.

When the user of the network terminal 200 is ready to communicate withthe selected network resource 104, the user of the network terminal 200transmits a transmission request via its application software to thedriver application 400, at step 506. If the user did not select anetwork resource 104 at step 502, the application communication layer406 of the driver application 400 contacts the administration server 108over the communications network 112 and prompts the user to select anetwork resource 104, as described above. Once a network resource 104 isselected, and the appropriate resource driver 402 is installed, theapplication communication layer 406 notifies the driver administratorlayer 408 of the transmission request.

At step 508, the driver administrator layer 408 provides theauthorization server 110 with the transmission request and identifiesthe selected network resource 104, by transmitting to the authorizationserver 110 the pseudo-name assigned to the selected network resource104. If the user of the network terminal 200 has registered and loggedin to the network resource control system 100, the driver administratorlayer 408 also provides the authorization server 110 with the registereduser's name.

The authorization server 110 then queries the resource database 120 withthe received pseudo-name for the resource record 300 associated with thepseudo-name, at step 510. The authorization server 110 then extracts theuser access level from the user access level field 306 of the retrievedresource record 300, and determines whether the network terminal 200 isauthorized to communicate with the selected network resource104, at step512. As will be apparent from the foregoing discussion, if the useraccess level field 306 specifies “public access” for the networkresource 104, the network terminal 200 will be automatically authorizedto communicate with the network resource 104.

However, if the user access level field 306 specifies “private access”for the network resource 104, the authorization server 110 determinesthe network address of the network terminal 200 from the transmissionrequest transmitted by the network terminal 200, and then queries theuser access level sub-field with the terminal's network address todetermine whether the network terminal 200 is authorized to communicatewith the network resource 104. In the case where the communicationsnetwork 112 comprises the Internet, the authorization server 110 candetermine the network terminal's network address from the IP packetsreceived from the network terminal 200. On the other hand, if the useraccess level field 306 specifies “authorized access” for the networkresource 104, the authorization server 110 queries the user access levelsub-field with the user's name to determine whether the network terminal200 is authorized to communicate with the network resource104.

If the query at step 512 reveals that the network terminal 200 is notauthorized to communicate with the network resource 104, at step 514 theauthorization server 110 provides the network terminal 200 with anotification that the network terminal 200 is not authorized forcommunication with the selected resource 104. However, if the query atstep 512 reveals that the network terminal 200 is authorized tocommunicate with the network resource 104, the authorization server 110queries the network address field 302 of the resource record 300associated with the network resource 104 for the network address of thenetwork resource 104. The authorization server 110 then establishes asecure communications channel with the driver administrator layer 408,and then transmits the network address to the driver administrator layer408 over the secure communications channel, at step 516.

Also, if the user access level field 306 specifies “authorized access”for the network resource 104, and the network terminal 200 is authorizedto communicate with the network resource 104, the authorization server110 queries the user access level sub-field for the authorizationpassword assigned to the network resource 104, and then transmits theauthorization password to the driver administrator layer 408 over thesecure communications channel, together with the network address. In thecase where the communications network 112 comprises the Internet,preferably the authorization server 110 establishes the securecommunications channel using a Secure Sockets Layer (“SSL”) protocol.Since the network address and the authorization password are transmittedover a secure communications channel, this information is concealed fromthe user of the network terminal 200.

Preferably, the authorization server 110 also extracts the resourcedriver identifier from the resource identifier field 314 of the resourcerecord 300, and determines whether the network terminal 200 is stillproperly configured for communication with the network resource 14. Ifthe network terminal 200 no longer has the correct resource driver 402,the authorization server 110 queries the driver database 122 for thecorrect resource driver 402, and prompts the user of the networkterminal 200 to download the correct resource driver 402. This driverconfiguration verification step may be performed concurrently orconsecutively with the network address providing step described in thepreceding paragraph.

In addition, the administration server 108 queries the registrationdatabase 124 to determine whether the user of the network terminal 200registered with the network resource control system 100. If the userregistered with the network resource control system 100 and specifiedthat the archive server 128 should maintain archival copies of datatransmissions, the administration server 108 transmits the networkaddress of the archive server 128 to the driver administrator layer 408.As a result, when the user of the network terminal 200 issues a datatransmission command, the driver application 400 will transmit the userapplication data to the selected network resource 104 and to the archiveserver 128.

At step 518, the application communication layer 406 passes theapplication data received from the application software to the resourcedriver 402 for translation into a format suitable for processing by theselected network resource 104. Meanwhile, the driver administrator layer408 interrogates the network resource 104, using the received networkaddress, to determine whether the network resource 104 still resides atthe specified network address, is operational and is on-line.

If the interrogated network resource 104 resides at the specifiednetwork address, is operational and is on-line. online, the resourcedriver 202 passes the translated application data to the datatransmitter layer 410 of the driver application 400. Preferably, thedata transmitter layer 410 compresses and encrypts the translatedapplication data upon receipt. The data transmitter layer 410 alsoreceives the network address of the network resource 104 from the driveradministrator layer 408, adds the network address data to thecompressed, encrypted data, and then transmits the resulting data overthe communications network 112 to the network resource 104 at thespecified network address, at step 520.

Preferably, the data transmitter layer 410 also transmits details of thetransmission to the transaction server 126, such as the selected networkresource 104 and the byte size of the transmission. Upon receipt of thetransmission details, preferably the administration server 108 queriesthe resource database 120 and the user registration database 124 for thee-mail address of the resource administrator and the e-mail address ofthe user of the network terminal 200, if provided, and then transmits anemail message indicating completion of the transmission.

If the user access level field 306 specifies “authorized access” for thenetwork resource 104, the data transmitter layer 410 also-receives theauthorization password for the network resource 104 from the driveradministrator layer 408, and transmits the authorization password (aspart of the compressed, encrypted data) to the network resource 104.

If the user access level field 306 specifies “public access” for thenetwork resource 104, preferably the network resource 104 is accessiblethrough a local server which serves to queue, decrypt and decompress theapplication data, and extract the network address data, and thentransmit the decompressed application data to the appropriate networkresource 104. Alternately, the network resource 104 itself may beconfigured for direct communication over the communications network 112,such as an IPP-capable printer, so that the network resource 104 is ableto process the application data directly.

If the user access level field 306 specifies “authorized access” for thenetwork resource 104, preferably the network resource 104 is accessiblethrough a local server which serves to queue, decrypt and decompress theapplication data, and extract the network address data and authorizationpassword, and then transmit the application data to the appropriatenetwork resource 104 if the received authorization password is valid.

If the user access level field 306 specifies “private access” for thenetwork resource 104, typically the network resource 104 will be locatedbehind a firewall. Accordingly, the proxy server 114 associated with thenetwork resource 104 will receive the application data, and transfer theapplication data to the proxy server queue. The polling server 116associated with the network resource 104 will poll the proxy server 114to determine the status of the queue. Upon receipt of a polling signalfrom the polling server 116, the proxy server 114 transmits any queuedapplication data from the proxy server queue, through the firewall, tothe polling server 116. The polling server 116 then extracts the networkaddress from the received application data, and transmits theapplication data to the appropriate server 118 or network resource 104for processing.

As will be apparent from the foregoing discussion, regardless of theuser class defined for a network resource 104, if a resourceadministrator relocates a network resource 104 to another networkaddress, and/or changes the device type and/or restrictions/permissionsassociated with the network resource 104, the resource administratorneed only update the resource record 300 associated with the networkresource 104 to continue communication with the network resource 104.Subsequently, when a user attempts communication with the networkresource 104 using the original pseudo-name, the authorization server110 will provide the administrator layer 408 with the updated networkaddress of the network resource 104, or prompt the user to download theappropriate resource driver 402, assuming that the network terminal 200is still authorized to communicate with the network resource 104.

Further, if the user access level field 306 specifies “authorizedaccess” for the network resource 104 and the resource administratordesires to change the pseudo-name and authorization password associatedwith the network resource 104, the resource administrator need onlyupdate the pseudo-name and authorization password provided on theresource record 300. Subsequently, when a user of a network terminal 200initiates communication with the network resource 104 using the originalpseudo-name, the authorization server 110 scans the resource records 300for occurrences of the original pseudo-name. After locating theappropriate resource record 300, the authorization server 110 providesthe driver administrator layer 408 with the updated pseudo-name andauthorization password of the network resource 104, provided that thenetwork terminal 200 is still authorized to communicate with the networkresource 104. A network terminal 200 which is not authorized tocommunicate with the network resource 104 will not receive the updatedpseudo-name and authorization password from the authorization server 110and, consequently, will not be able to communicate with the networkresource 104, even if the user of the network terminal 200 knew thenetwork address for the network resource 104.

The foregoing description is intended to be illustrative of thepreferred embodiment of the present invention. Those of ordinary skillmay envisage certain additions, deletions and/or modifications to thedescribed embodiment which, although not explicitly described herein,are encompassed by the spirit or scope of the invention, as defined bythe claims appended hereto.

1. A network resource control system for facilitating communicationbetween a network terminal and a selected network resource device over anetwork for communication of translated source data from the networkterminal to the network resource device, the network resource controlsystem comprising: a resource registry including resource configurationdata associated with the selected network resource device, the resourceconfiguration data defining a user access level for a degree ofcommunication access the network terminal is to have with the networkresource device, the resource configuration data further including adriver identifier for a resource driver associated with the selectednetwork resource device, the resource driver for translating source datato produce the translated source data in a format suitable forprocessing by the network resource device; an authorization server incommunication with the resource registry for receiving a request fromthe network terminal for communication access to the selected networkresource device, the request configured to include a device identifierassociated with the selected network resource device and userconfiguration data associated with the network terminal, theauthorization server being configured for accessing the resourceconfiguration data associated with the request device identifier todetermine if the network terminal is authorized for the defined useraccess level based on the user configuration data and to determine ifthe network terminal is configured with the resource driver associatedwith the driver identifier.
 2. The system according to claim 1, whereinthe authorization server is configured to configure the resource driverin accordance with a correspondence between the user configuration dataof the network terminal and the user access level associated with thenetwork resource device.
 3. The system according to claim 1, wherein theresource configuration data is configured for access by an administartorof the network resource device, and the authorization server isconfigured to receive from the administrator a request for access to theuser access level, to verify authorization for the access, and to updatethe user access level in accordance with the verification.
 4. A methodfor facilitating communication between a network terminal and a selectednetwork resource device over a network for communication of translatedsource data from the network terminal to the network resource device,the method comprising the steps of: providing a resource registryincluding resource configuration data associated with the networkresource device, the resource configuration data defining a user accesslevel for a degree of communication access the network terminal is tohave with the network resource device, the resource configuration datafurther including a driver identifier for a resource driver associatedwith the network resource device, the resource driver for translatingsource data to produce the translated source data in a format suitablefor processing by the network resource device; receiving a request forcommunication access from the network terminal to the selected networkresource device, the request configured to include a device identifierassociated with the selected network resource device and userconfiguration data associated with the network terminal; accessing theresource configuration data associated with the request deviceidentifier to determine if the network terminal is authorized for thedefined user access level based on the user configuration data; anddetermining if the network terminal is configured with the resourcedriver associated with the driver identifier.
 5. The method according toclaim 4, further comprising the step of configuring the resource driverin accordance with a correspondence between the user configuration dataof the network terminal and the user access level associated with thenetwork resource device.
 6. The method according to claim 4, wherein theresource configuration data is configured for access by an administratorof the network resource device, and the method comprises the steps ofreceiving from the administrator a request for access to the user accesslevel, verifying authorization for the access and updating the useraccess level in accordance with the verification.
 7. The systemaccording to claim 1, wherein the network resource device is selectedfrom the group comprising a printer, a facsimile machine, an imageserver, a file server, an e-mail pager, and an e-mail enabled wirelesstelephone.
 8. The system according to claim 1, wherein the translatedsource data is selected from the group comprising: text; image; andmultimedia data.
 9. The system according to claim 1, wherein the useraccess level establishes that the network resource device allows publicaccess, such that any network terminal of the network resource controlsystem can communication with the network resource device.
 10. Thesystem according to claim 1, wherein the user access level establishesthat the network resource device allows private access such that onlymembers of an enterprise associated with the network resource device cancommunicate with the network resource device.
 11. The system accordingto claim 1, wherein the user access level establishes that the networkresource device allows authorized access such that only particularnetwork terminals of the system can communicate with the networkresource device.
 12. The system according to claim 1, wherein the useraccess level is one of multiple predefined access levels in relation tothe network resource device.
 13. The system according to claim 3,wherein the authorization server sends an e-mail message to theadministrator of the network resource device when there is acommunication of translated source data from the network terminal to thenetwork resource device.
 14. The method according to claim 4, whereinthe network resource device is selected from the group comprising aprinter, a facsimile machine, an image server, a file server, an e-mailpager, and an e-mail enabled wireless telephone.
 15. The methodaccording to claim 4, wherein the translated source data is selectedfrom the group comprising: text; image; and multimedia data.
 16. Themethod according to claim 4, wherein the user access level establishesthat the network resource device allows public access such that anynetwork terminal with access to the network can communicate with thenetwork resource device.
 17. The method according to claim 4, whereinthe user access level establishes that the network resource deviceallows private access such that only members of an enterprise associatedwith the network resource device can communicate with the networkresource device.
 18. The method according to claim 4, wherein the useraccess level establishes that the network resource device allowsauthorized access such that only particular network terminals withaccess to the network can communicate with the network resource device.19. The method according to claim 4, wherein the user access level isone of multiple predefined access levels in relation to the networkresource device.
 20. The method according to claim 4 further comprisingthe step of sending an e-mail message to an administrator of the networkresource device when there is a communication of translated source datafrom the network terminal to the network resource device.